Trade Law Daily is a service of Warren Communications News.
‘Let’s Work Together’

Cybersecurity Has to Work in ‘Real World,’ But Change Won’t Be Easy, Simpson Tells CSRIC

The FCC further ramped up pressure on its Communications Security, Reliability & Interoperability Council Wednesday to take the lead on cybersecurity. David Simpson, chief of the Public Safety Bureau, led off the meeting, amplifying remarks FCC Chairman Tom Wheeler made last week at the American Enterprise Institute, warning that if a private-sector-based initiative doesn’t work the FCC stands ready to impose regulation (CD June 13 p1).

Simpson said some aspects of cybersecurity are bigger than any single company. Network security is also critical to public safety, he said. Cybersecurity has to work “in the real world” and the FCC is not naive about the size of the challenge companies face, he said. Improving security will take years to accomplish, he said.

“It’s really a call to industry to say ‘Let’s work together, let’s have industry lead what should be our approach as a nation to securing networks in the 21st century,’” Simpson said. Success of the strategy “will depend on you,” he said. He said while there’s also a downside “there’s really a lot more upside to getting this right.” Wheeler believes the FCC “cannot abdicate its responsibilities simply because the threats to network security have begun to arrive in new technologies,” Simpson said.

Americans “have confidence” in their networks, which have grown in importance in daily life, Simpson said. Consumers are going online to conduct “critical” financial and commercial transactions, and business depends on IP-based communications, he said. Communications providers must take “proactive, effective” steps to strengthen the security and resiliency of their networks, he said. Doing so will “bear fruit” in increased “customer loyalty” and “global competitiveness.”

Companies have stepped up to enhance network security in many cases, but their efforts often aren’t transparent or measurable “to those who really need to count on you during times of great stress” or emergency, Simpson said. One of the biggest questions industry must answer is “how to measure success and assure market accountability,” he said. “What should be measured? How should it be measured?”

Several next steps are emerging, Simpson said. Companies need to “rigorously inventory” all of their exposures to security risks internally and with their business partners, he suggested. Companies must also “assess and scrutinize” these risk exposures and “develop data from those qualitative assessments to produce quantitative metrics that apply to those internal needs,” he said. Companies also need to make the right investments to lower their risks. “In short, identify the cyber-risk universe, develop internal controls, assess implementation and monitor effects,” he said. “This is how enterprise risk management has always been done across all types of risk. That part is not new.”

USTelecom Vice President Robert Mayer, co-chair of the Cybersecurity Working Group, said the group so far is looking at the National Institute of Standards and Technology cybersecurity framework and its implications for the communications sector. More than 100 industry officials have participated in the working group so far and the number is growing, Mayer said. “In our case this is taking the framework, applying it to our sector,” he said. “It’s ensuring that we retain the flexibility for individual companies, which is at the core of the framework.” The working group is looking at real world examples of how companies are using the framework, Mayer said. The group will provide “clear guidance” to industry for incorporating the framework into their risk management process, he said.

CSRIC also approved several reports from its Next Generation 911 Working Group. The reports focus on enhanced caller location information in texts to 911, recommended best practices for provisioning public safety answering points requirements to handle emergency texts and on the establishment of an entity to administer an indoor location accuracy testbed.

Among its conclusions, the 911 working group found that routing based on enhanced location information “may not be technically feasible for some of the carriers at this point,” said Co-chair Laurie Flaherty, coordinator of the National Highway Traffic Safety Administration’s National 911 program. Carrier networks vary widely, she said. CSRIC also found that adding location information may delay the routing of emergency texts and that all platforms have the technology to generate enhanced location information, Flaherty said. “The bottom line” is that “there really is no universal method for generation of advanced, more accurate enhanced location information in SMS texts,” she said. The working group recommended against any mandates from the FCC at this time before NG911 is in place.

NAB Associate General Counsel Larry Walke said the Emergency Alert System Working Group has been unable to reach agreement on the key issue of minimum specifications on the language, size of text and speed of text crawls for visual alerts. “We did our best but we lacked some expertise and a broad range of input,” he said. The working group recommended that the FCC adopt National Periodic Test (NPT) coded tests as a substitute for monthly EAS tests. “It would be less disruptive than trying to do a pretend [Emergency Action Notification] test, which would appear real to some people,” Walke said. The group also has been unable to reach conclusions on how long future national tests should run, whether 30 seconds or longer, he said. “We recommend further study from the FCC with industry involvement.”